CCNA Access List Workbook With Answers


Access Lists Workbook, Version 1.0, Instructors Edition

Access-List Numbers

IP Standard: 1 to 99
IP Extended: 100 to 199
Ethernet Type Code: 200 to 299
Ethernet Address: 700 to 799
DECnet and Extended DECnet: 300 to 399
XNS: 400 to 499
Extended XNS: 500 to 599
Appletalk: 600 to 699
48-bit MAC Addresses: 700 to 799
IPX Standard: 800 to 899
IPX Extended: 900 to 999
IPX SAP (service advertisement protocol): 1000 to 1099
IPX SAP SPX: 1000 to 1099
Extended 48-bit MAC Addresses: 1100 to 1199
IPX NLSP: 1200 to 1299
IP Standard, expanded range: 1300 to 1999
IP Extended, expanded range: 2000 to 2699
SS7 (voice): 2700 to 2999
Standard Vines: 1 to 100
Extended Vines: 101 to 200
Simple Vines: 201 to 300
Transparent bridging (protocol type): 200 to 299
Transparent bridging (vendor type): 700 to 799
Extended Transparent bridging: 1100 to 1199
Source-route bridging (protocol type): 200 to 299
Source-route bridging (vendor type): 700 to 799

Produced by: Robb Jones, jonesr@careertech.net
Frederick County Career & Technology Center, Cisco Networking Academy
Frederick County Public Schools, Frederick, Maryland, USA

Special thanks to Melvin Baker and Jim Dorsch for taking the time to check this workbook for errors.

Instructors (and anyone else for that matter): please do not post the Instructors version on public websites. When you do this you're giving everyone else worldwide the answers. Yes, students look for answers this way. It also discourages others, myself included, from posting high quality materials.

What are Access Control Lists?

ACLs...
...are a sequential list of instructions that tell a router which packets to permit or deny.

General Access Lists Information

Access Lists...
...are read sequentially.
...are set up so that as soon as the packet matches a statement the router stops comparing and permits or denies the packet.
...need to be written to take care of the most abundant traffic first.
...must be configured on your router before you can deny packets.
...can be written for all supported routed protocols, but each routed protocol must have a different ACL for each interface.
...must be applied to an interface to work.

How routers use Access Lists (Outbound Port - Default)

The router checks to see if the packet is routable. If it is, it looks up the route in its routing table.
The router then checks for an ACL on that outbound interface.
If there is no ACL, the router switches the packet out that interface to its destination.
If there is an ACL, the router checks the packet against the access list statements sequentially, then permits or denies each packet as it is matched.
If the packet does not match any statement written in the ACL, it is denied, because there is an implicit deny any statement at the end of every ACL.
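The sequential, first-match processing and the implicit deny described above can be modelled in a few lines. This is an added example, not part of the workbook; the addresses and list number 10 are constructed, and the entries follow the standard-ACL form of source address plus wildcard mask (0 bits must match, 1 bits are ignored).

```python
import ipaddress

def matches(addr, base, wildcard):
    """Wildcard mask: 0 bits must match, 1 bits are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def evaluate(acl, source):
    """Return (action, line_number) for the first entry that matches."""
    for number, (action, base, wildcard) in enumerate(acl, start=1):
        if matches(source, base, wildcard):
            return action, number      # first match wins; stop comparing
    return "deny", None                # implicit "deny any" at the end

# Constructed sample list (addresses are made up for illustration):
#   access-list 10 deny   192.168.1.10 0.0.0.0
#   access-list 10 permit 192.168.1.0  0.0.0.255
SPECIFIC_FIRST = [
    ("deny",   "192.168.1.10", "0.0.0.0"),
    ("permit", "192.168.1.0",  "0.0.0.255"),
]
# Same entries in the opposite order: the deny on line 2 is never reached,
# because the broad permit on line 1 already matches the host.
BROAD_FIRST = list(reversed(SPECIFIC_FIRST))

if __name__ == "__main__":
    for name, acl in (("specific first", SPECIFIC_FIRST),
                      ("broad first", BROAD_FIRST)):
        for src in ("192.168.1.10", "192.168.1.20", "10.0.0.5"):
            print(name, src, evaluate(acl, src))
```

A source that matches no entry, such as 10.0.0.5 here, is dropped by the implicit deny, which is why a list containing only deny statements blocks everything.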


Standard Access Lists

Standard Access Lists...
...are numbered from 1 to 99.
...filter (permit or deny) only source addresses.
...do not have any destination information, so they must be placed as close to the destination as possible.
...work at layer 3 of the OSI model.

Why standard ACLs are placed close to the destination

If you want to block traffic from Juan's computer from reaching Janet's computer with a standard access list, you would place the ACL close to the destination on Router D, interface E0. Since it uses only the source address to permit or deny packets, the ACL here will not affect packets reaching Routers B or C.

[Figure: network diagram of Routers A, B, C and D with Matt's, Juan's, Jimmy's and Janet's computers]

If you place the ACL on Router A to block traffic to Router D, it will also block all packets going to Routers B and C, because all the packets will have the same source address.


Standard Access List Placement Sample Problems

[Figure: Router A with interfaces FA0 and FA1; Juan's computer and Jan's computer]

In order to permit packets from Juan's computer to arrive at Jan's computer you would place the standard access list at router interface ______.
Answer: FA1

[Figure: Router A (E0, S0) and Router B (E1, S1); Lisa's computer and Paul's computer]

Lisa has been sending unnecessary information to Paul. Where would you place the standard ACL to deny all traffic from Lisa to Paul?
Router Name: Router B    Interface: E1

Where would you place the standard ACL to deny traffic from Paul to Lisa?
Router Name: Router A    Interface: E0


Standard Access List Placement

[Figure: network diagram of Routers A, B, C, D, E and F with the computers of Ricky, Jenny, Amanda, George, Carrol, Kathy, Jim, Jeff, Linda, Sarah, Jackie and Melvin]


Standard Access List Placement

1. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer?
   Router Name: Router D    Interface: E0
2. Where would you place a standard access list to deny traffic from Melvin's computer from reaching Jenny's computer?
   Router Name: Router A    Interface: E0
3. Where would you place a standard access list to deny traffic to Carrol's computer from Sarah's computer?
   Router Name: Router C    Interface: FA1
4. Where would you place a standard access list to permit traffic from Ricky's computer to reach Jeff's computer?
   Router Name: Router D    Interface: E0
5. Where would you place a standard access list to deny traffic from Amanda's computer from reaching Jeff's and Jim's computers?
   Router Name: Router D    Interface: E0
6. Where would you place a standard access list to permit traffic from Jackie's computer to reach Linda's computer?
   Router Name: Router E    Interface: E0
7. Where would you place a standard access list to permit traffic from George's computer to reach Carrol's and Amanda's computers?
   Router Name: Router C    Interface: FA1
8. Where would you place a standard access list to deny traffic to Jenny's computer from Jackie's computer?
   Router Name: Router A    Interface: E0
9. Where would you place a standard access list to permit traffic from George's computer to reach Linda's and Sarah's computers?
   Router Name: Router E    Interface: E0
10. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
    Router Name: Router C    Interface: FA1
11. Where would you place a standard access list to deny traffic to Sarah's computer from Ricky's computer?
    Router Name: Router E    Interface: E0
12. Where would you place an ACL to deny traffic from Linda's computer from reaching Jackie's computer?
    Router Name: Router F    Interface: FA1

Extended Access Lists

Extended Access Lists...
...are numbered from 100 to 199.
...filter (permit or deny) based on the:
    source address
    destination address
    protocol
    port number
...are placed close to the source.
...work at both layer 3 and 4 of the OSI model.

Why extended ACLs are placed close to the source

If you want to deny traffic from Juan's computer from reaching Janet's computer with an extended access list, you would place the ACL close to the source on Router A, interface E0. Since it can permit or deny based on the destination address, it can reduce backbone overhead and not affect traffic to Routers B or C.

[Figure: network diagram of Routers A, B, C and D with Matt's, Juan's, Jimmy's and Janet's computers]

If you place the ACL on Router E to block traffic from Router A, it will work. However, Routers B and C will have to route the packet before it is finally blocked at Router E. This increases the volume of useless network traffic.
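The two placement rules (standard ACLs near the destination, extended ACLs near the source) can be compared side by side. This is an added example, not part of the workbook: the workbook's diagram is not reproduced, so the chain topology, the second host called OTHER and all addresses are assumptions made for illustration.

```python
# Assumed topology: Juan - Router A - Router B - Router C - Router D - Janet,
# plus a hypothetical second host (OTHER) attached to Router B.
JUAN, JANET, OTHER = "10.1.0.10", "10.4.0.10", "10.2.0.10"   # constructed
PATHS = {JANET: ["A", "B", "C", "D"], OTHER: ["A", "B"]}

def standard_deny(src):
    """Standard entry: matches on the source address only."""
    return lambda pkt: pkt["src"] == src

def extended_deny(src, dst):
    """Extended entry: matches on source and destination."""
    return lambda pkt: pkt["src"] == src and pkt["dst"] == dst

def send(pkt, acl_router, denies):
    """Return ('dropped', n) where n routers forwarded the packet before
    the drop, or ('delivered', hops) if no ACL on the path stopped it."""
    path = PATHS[pkt["dst"]]
    for forwarded, router in enumerate(path):
        if router == acl_router and denies(pkt):
            return "dropped", forwarded
    return "delivered", len(path)

def report(acl_router, denies):
    """Outcome of Juan's traffic to Janet and to the other host."""
    return {name: send({"src": JUAN, "dst": dst}, acl_router, denies)
            for name, dst in (("janet", JANET), ("other", OTHER))}

if __name__ == "__main__":
    print("standard at D:", report("D", standard_deny(JUAN)))
    print("standard at A:", report("A", standard_deny(JUAN)))
    print("extended at A:", report("A", extended_deny(JUAN, JANET)))
    print("extended at D:", report("D", extended_deny(JUAN, JANET)))
```

In this model the standard entry on Router A also drops Juan's traffic to the other host, while the extended entry on Router D works but only after three routers have already forwarded the packet.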


Extended Access List Placement Sample Problems

[Figure: Router A with interfaces E0 and E1; Juan's computer and Jan's computer]

In order to permit packets from Juan's computer to arrive at Jan's computer you would place the extended access list at router interface ______.
Answer: E0

[Figure: Router A (FA0, S0) and Router B (FA1, S1); Lisa's computer and Paul's computer]

Lisa has been sending unnecessary information to Paul. Where would you place the extended ACL to deny all traffic from Lisa to Paul?
Router Name: Router A    Interface: FA0

Where would you place the extended ACL to deny traffic from Paul to Lisa?
Router Name: Router B    Interface: FA1


Extended Access List Placement

[Figure: network diagram of Routers A, B, C, D, E and F with the computers of Ricky, Jenny, Amanda, George, Carrol, Kathy, Jim, Jeff, Linda, Sarah, Jackie and Melvin]


Extended Access List Placement

1. Where would you place an ACL to deny traffic from Jeff's computer from reaching George's computer?
2. Where would you place an extended access list to permit traffic from Jackie's computer to reach Linda's computer?
3. Where would you place an extended access list to deny traffic to Carrol's computer from Ricky's computer?
4. Where would you pla